# Registry Persistence Mechanism

Registry persistence mechanisms involve malware modifying the Windows Registry to ensure that it executes automatically whenever the system starts or a user logs in. Here are some common registry-based persistence techniques:

#### 1. **Run Keys**

* **`HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run`**: Entries in this key execute every time any user logs into the system. Malware commonly uses this key for persistence.
* **`HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run`**: Similar to the above but specific to the currently logged-in user. Malware targeting this key will run only when that user logs in.

#### 2. **RunOnce Keys**

* **`HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce`**: Entries here run once, and then they are removed from the registry. Malware may use this key to execute and then reinstall itself using another persistence mechanism.

#### 3. **Services**

* **`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services`**: Malware can create a new service or modify an existing one to run malicious code at system startup. This key contains information about all installed services.

#### 4. **Winlogon and Userinit**

* **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`**: Malware may modify the `Userinit` or `Shell` values to include its executable, ensuring it runs every time the user logs on.
  * **`Userinit`**: This value specifies the path of the executable to run at user login.
  * **`Shell`**: This value specifies the default shell executable (e.g., `explorer.exe`); malware can replace it with, or append, its own executable.

#### 5. **Explorer Shell Extensions**

* **`HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved`**: Malware may add entries to this key to integrate with the Windows shell, ensuring that its code is executed when the Explorer shell starts.

#### 6. **Startup Folder**

* Although technically not a registry key, malware can create shortcuts in the Startup folder (`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`) to run on user login. The Startup folder itself can be monitored or modified via registry settings.

#### 7. **Other Registry Locations**

* **`HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run`**: Similar to Run keys, entries here will execute at startup or login.

#### Detection and Mitigation

* **Detection**: Use tools such as `Regedit` or Sysinternals `Autoruns` to inspect these registry keys for suspicious entries. Look for unusual paths, executable names, or unknown entries.
* **Mitigation**: Regularly audit registry keys for unauthorized changes, use endpoint protection software to detect and block malicious changes, and employ least privilege principles to limit the ability of malware to make changes.
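
As an added example (not code from the original page), the following Python script triages a `reg export` (.reg) file covering the keys listed above: it flags Run/RunOnce/Policies entries that launch from user-writable directories and Winlogon `Userinit`/`Shell` values that differ from their defaults. The sample export, the list of user-writable directories, and the expected default values are assumptions constructed for the example.

```python
import re

# Constructed sample of a .reg export covering the keys discussed on this page.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="\"C:\\Users\\bob\\AppData\\Roaming\\svchost.exe\" -q"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\update.exe"
"Shell"="explorer.exe"
'''

AUTORUN_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce",
                "\\Policies\\Explorer\\Run")
# Assumed defaults: userinit.exe with its trailing comma, and explorer.exe as shell.
WINLOGON_DEFAULTS = {"Userinit": "C:\\Windows\\system32\\userinit.exe,",
                     "Shell": "explorer.exe"}
# Directories a non-admin user can write to; an autorun pointing here deserves a look.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)
VALUE_LINE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " ."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Yield (key, value_name, value_data) for each REG_SZ value in a .reg export."""
    key = None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                     # new key section
        elif key and line.startswith('"'):
            m = VALUE_LINE.match(line)
            if m:                                # skip dword:/hex: values
                yield key, _unescape(m.group(1)), _unescape(m.group(2))


def find_suspicious(text):
    """Return (key, name, data, reason) tuples for entries worth triage."""
    findings = []
    for key, name, data in parse_reg(text):
        if key.endswith(AUTORUN_KEYS) and USER_WRITABLE.search(data):
            findings.append((key, name, data, "autorun from user-writable path"))
        elif key.endswith("\\Winlogon") and name in WINLOGON_DEFAULTS:
            if data.strip().lower() != WINLOGON_DEFAULTS[name].lower():
                findings.append((key, name, data, f"{name} differs from default"))
    return findings


if __name__ == "__main__":
    for key, name, data, reason in find_suspicious(SAMPLE_REG):
        print(f"[{reason}] {key} :: {name} = {data}")
```

Run it against a real export (`reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`) by reading the file instead of `SAMPLE_REG`; note that `reg export` writes UTF-16, so open it with `encoding="utf-16"`.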

Registry-based persistence is a common technique due to its ability to survive reboots and user logins, making it crucial to monitor and analyze registry changes for effective malware detection and removal.
